HackDig : Dig high-quality web security articles for hacker

When You Wish Upon A Shell. Image from wishingshells.com, which I totally need now. Back in February we ran a survey to figure out where you, the savvy penetration tester, would like to see Meterpreter go. As a result, we now have the Meterpreter Wishlist, and have been working steadily off of that for the last few months. As of this week, we have a p

A short, mostly-accurate history of character encodings In the beginning, when you wanted to use a computer to store text, there were not many options - you inherited something from punchcards like EBCDIC or invented something convenient and unique to your system. Computers did not need to talk to each other, so there was not much point in standardizing

The Survey One month ago we asked the community for feedback about how they use Metasploit and what they want to see in the Meterpreter payload suite going forward. Over the course of a week we received over 400 responses and over 200 write-in suggestions for new features. We have spent the last month parsing through your responses, identifying dependen

Metasploit has long supported a mixture of staged and stageless payloads within its toolset. The mixture of payloads gives penetration testers a huge collection of options to choose from when performing exploitation. However, one option has been missing from this collection, and that is the notion of a stageless Meterpreter payload. In this post, I’d l

Stageless Meterpreter Remember the Metasploit Pop Quiz we ran about a month back? Well, we got tons of support from you, the Metasploit users, and have been picking out what you want to see and have started turning those wishes into reality. I know HD, Brent, and OJ are working up a much more exhaustive blog post for next week to lay out what's going where an

Let's Make Meterpreter Metasploit, as you know, is quite near and dear to my heart. But it's not mine -- it's yours. This week, we're taking a survey of what features and functionality you want to see, and it's directed specifically to the open source community of both users and developers. If you're purely a Metasploit Pro user, feel free to give your f

Old post on the subject here: http://carnal0wnage.attackresearch.com/2012/10/run-powershell-module-in-meterpreter.html More recent posts on the subject by harmj0y: http://www.harmj0y.net/blog/powershell/derbycon-powershell-weaponization/ Anyway, #2 from The PowerShell Weaponization Problem works ok if you don't care about the code being on disk. Gist with the comma

This post is the twelfth in a series, 12 Days of HaXmas, where we usually take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. As this is the last in the series, let's peek forward, to the unknowable future. Happy new year, it's time to make some resolutions. There is nothing like a fresh new year ge

This post is the eleventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. Hello everyone and Happy HaXmas (again) and New Year! On this HaXmas I would like to share with all of you a new feature which I'm personally very happy with. It's nothing super new and

This post is the fifth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. Writing portable software is not hard. It's just like walking through a minefield! Getting to the other side, that's the tricky part. Sure, if you target C, Unix-like system

So you pwned the system and got root access, awesome, but what's next? Oh, I need to get the /etc/passwd and /etc/shadow out for a start. Ok, how? There are a couple of ways to do it: 1. Meterpreter's 'download' command. It's great if you're using meterpreter as the payload. Simple and hassle free. Just 'cd' and 'pwd' through the victim machine's directory withou

Meterpreter Updates This week, we saw another slew of updates to Meterpreter to make your post-exploit experience all the more pleasant, and are pushing forward with some core release changes to hopefully make installing Metasploit a more sane, Ruby-like experience. Here's the rundown of what you'll see with this update, and what you can expect Real Soon

Hopping Meterpreter Through PHP This week, Metasploit landed and shipped the new Reverse HTTP hop stager for Meterpreter payloads, which opens up yet another avenue for pivoting about the Internet to connect to your various and sundry Meterpreter shells. This is kind of a huge deal. For starters, this obviously helps with crossing artificial border